A poker software developer plans to implement a fix this week for a vulnerability recently discovered by two security researchers who analyzed one of its gambling applications.
B3W Group, based in Malta, said it had identified the root problem pointed out in a report released last week by Luigi Auriemma and Donato Ferrante of ReVuln, a vulnerability research consultancy also based in Malta.
B3W makes a range of gambling software, including that used for online poker rooms, also known as skins, for variations of poker such as Texas Hold’em, Omaha and Stud. Many poker games require users to download software onto their computers, which then interacts with a web service for a realistic, real-time game play.
ReVuln’s report, which also looked at products from the companies Microgaming and Playtech, focused on poker software since the downloaded client allows attackers to get a good look at part of the game’s software design.
AJ Thompson, B3W’s director of strategy, wrote in an email to IDG News Service that players using its software have not been hacked in 12 years of operating online. B3W takes “our clients’ security extremely seriously,” he wrote.
The researchers found that B3W’s software updates itself over an insecure HTTP connection. Updated files are stored without digital signatures, and “.exe” files are not verified before installation. They also found issues with how B3W’s software stores passwords on a person’s computer.
The industry standard for distributing new poker clients is through content delivery networks, Thompson wrote. B3W uses a CDN from Fileburst.
Using a secure connection with Fileburst is possible, but the digitally-signed security certificate would not match that of the software that is delivered, Thomas wrote. But B3W has found a solution in order to deliver secure updates.
“We have therefore decided to move all client updating to our own data centers over SSL [Secure Sockets Layer] using a signed certificate trusted by the poker client code,” he wrote.
The changes will eliminate three issues outlined by ReVuln, including those around executing an unverified file, a directory transversal issue and a stack-based buffer overflow, Thompson wrote.
B3W hasn’t decided how to handle passwords that are saved by the poker client. Passwords that are not stored by a password key chain can only be obfuscated, and to create a password for a password would be less convenient for players, Thompson wrote.
“We do have a build of a client which does not allow the saving of the password, and we are considering the introduction of this to the core client build,” Thompson wrote.